add range check for delta field in presign #369

boltlabs-inc · Sep 19, 2023 · 95ed53a · 95ed53a
1 parent a0dde1d
commit 95ed53a
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/src/presign/round_three.rs b/src/presign/round_three.rs
@@ -20,11 +20,12 @@ use crate::{
         Proof, ProofContext,
     },
 };
-use k256::Scalar;
+use k256::{elliptic_curve::PrimeField, Scalar};
 use libpaillier::unknown_order::BigNumber;
 use merlin::Transcript;
 use serde::{Deserialize, Serialize};
 use std::fmt::Debug;
+use tracing::error;
 use zeroize::ZeroizeOnDrop;
 
 #[derive(Clone, ZeroizeOnDrop)]
@@ -100,11 +101,14 @@ impl TryFrom<&Message> for Public {
     fn try_from(message: &Message) -> std::result::Result<Self, Self::Error> {
         message.check_type(MessageType::Presign(PresignMessageType::RoundThree))?;
         let public: Self = deserialize!(&message.unverified_bytes)?;
-        // TODO #369: This should check the validity of `delta` (namely that it
-        // is less than `k256_order()`). However, we are currently using an
-        // older version of the `k256` library that doesn't support comparisons,
-        // making doing this check difficult. Add this check once the `k256`
-        // library has been updated.
+
+        // Normal `Scalar` deserialization doesn't check that the value is in range.
+        // Here we convert to bytes and back, using the checked `from_repr` method to
+        // make sure the value is a valid, canonical Scalar.
+        if Scalar::from_repr(public.delta.to_bytes()).is_none().into() {
+            error!("Deserialized round 3 message `delta` field is out of range");
+            Err(InternalError::ProtocolError)?
+        }
         Ok(public)
     }
 }